similar to: Brute force attacks

Is there any asterisk guru who can explain me how how asterisk knows which context forward the call to? -- Joseph

Another good one is http://denyhosts.sourceforge.net/ It runs as a daemon, and can either ban IP's addresses all together, or just ban certain services. -----Original Message----- From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Brian Marshall Sent: Thursday, November 16, 2006 9:33 AM To: CentOS mailing list Subject: Re: [CentOS] Re: IPTables

On 07:09, Fri 17 Nov 06, Sudev Barar wrote: > >You can use IPTables to limit the rate of connections. I allow only 2 > >connections from a given IP address within each 3 minute period. > > > >I know this is sloppy and lazy but can you post your iptables line > >that does this? > > > # Don't have a limit on my_trusted_domain > iptables -A INPUT -p tcp

Hello I'm no expert of iptables, and it seems like it can handle banning IP's that are trying to register and fail too many times. I'd like to use this feature instead of having to install a second tool such as SSHGuard or BFS that parses the logs and reconfigure iptables on the fly. Is there a good iptables configuration that I could use as reference? FWIW, the kernel is uClinux

Top of the morning all... So I reworked the pseudo IDS/Brute Force Asterisk script for those who want to either use it, or use it as a baseline to build a better one... The script now does a few things... It logs those with password issues, and blocks them as well. This was done to ensure that a remote user who was blocked can be found in the log. E.g., Sally the homemaker keeps fiddling

Say for instance you have some one trying to constantly access an account Has any of you made something creative like this: * configure that account to allow to login with any password * link that account to something like /dev/zero that generates infinite amount of messages (maybe send an archive of virusses?) * transferring TB's of data to this harassing client. I think it would be

Please do not assume anything other than what is written, it is a hypothetical situation A. With the fail2ban solution - you 'solve' that the current ip is not able to access you - it will continue bothering other servers and admins - you get the next abuse host to give a try. B. With 500GB dump - the owner of the attacking server (probably hacked) will notice it will be

Yes indeed, we have already own dnsbl's for smtp and ssh/ftp access. How do you have one setup for dovecot connections? -----Original Message----- From: James via dovecot [mailto:dovecot at dovecot.org] Sent: donderdag 11 april 2019 13:25 To: dovecot at dovecot.org Subject: Re: Mail account brute force / harassment On 11/04/2019 11:43, Marc Roos via dovecot wrote: > A. With the

On 11 Apr 2019, at 04:43, Marc Roos via dovecot <dovecot at dovecot.org> wrote: > B. With 500GB dump > - the owner of the attacking server (probably hacked) will notice it > will be forced to take action. Unlikely. What is very likely is that your ISP shuts you don for network abuse. > If abuse clouds are smart (most are) they would notice that attacking my > servers, will

On 11.04.2019 13:25, James via dovecot wrote: > On 11/04/2019 11:43, Marc Roos via dovecot wrote: > >> A. With the fail2ban solution >> ?? - you 'solve' that the current ip is not able to access you > > It is only a solution if there are subsequent attempts from the same > address.? I currently have several thousand addresses blocked due to > dovecot login

On 12.4.2019 10.21, James via dovecot wrote: > On 11/04/2019 14:33, Anton Dollmaier via dovecot wrote: > >>> Which is why a dnsbl for dovecot is a good idea.? I do not believe the >>> agents behind these login attempts are only targeting me, hence the >>> addresses should be shared via a dnsbl. >> >> Probably there's an existing solution for both

On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: > Weakforced uses Lua so you can easily integrate DNSBL support into it. How does this help Dovecot block? A link to some documentation or example perhaps? > We will not add DNSBL support to dovecot at this time. Is there a reason why you will not support this RFE?

On 12.4.2019 10.34, James via dovecot wrote: > On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: > >> Weakforced uses Lua so you can easily integrate DNSBL support into it. > > How does this help Dovecot block? > A link to some documentation or example perhaps? > > https://wiki.dovecot.org/Authentication/Policy You can configure weakforced to return status -1 when DNSBL

On 12/04/2019 08:42, Aki Tuomi via dovecot wrote: > On 12.4.2019 10.34, James via dovecot wrote: >> On 12/04/2019 08:24, Aki Tuomi via dovecot wrote: >> >>> Weakforced uses Lua so you can easily integrate DNSBL support into it. >> How does this help Dovecot block? >> A link to some documentation or example perhaps? >> >> >

> On 12 April 2019 18:11 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote: > > > > Probably there's an existing solution for both problems (subsequent > > attempts and dnsbl): > > > > >

> On 12 April 2019 21:45 Robert Kudyba via dovecot <dovecot at dovecot.org> wrote: > > > > You are running some kind of proxy in front of it. > > No proxy. Just sendmail with users using emacs/Rmail or Webmail/Squirrelmail. > > > If you want it to show real client IP, you need to enable forwarding of said data. With dovecot it's done by setting > >

Hi, What we do is: use https://github.com/trick77/ipset-blacklist to block IPs (from various existing blacklists) at the iptables level using an ipset. That way, the known bad IPs never even talk to dovecot, but are dropped immediately. We have the feeling it helps a lot. MJ On 4/12/19 10:27 AM, James via dovecot wrote: > On 12/04/2019 08:42, Aki Tuomi via dovecot wrote: >> On

On Fri, 12 Apr 2019, mj wrote: > What we do is: use https://github.com/trick77/ipset-blacklist to block IPs > (from various existing blacklists) at the iptables level using an ipset. "www.blocklist.de" is a nifty source. Could you suggest other publically available blacklists? > That way, the known bad IPs never even talk to dovecot, but are dropped > immediately. We

I was hoping to set up fail2ban to block IP addresses that generate too many Samba password failures, but it needs a syslog message with the IP address of the computer that failed password authentication. Unfortunately, Samba doesn't seem to do this in my environment. Here's a sample error message: smbd[312]: smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus ! I

For many years I've been running ssh reverse tunnels on portable Linux, OpenWRT, Android etc. hosts so they can be accessed from a server whose IP is stable (I call such a server a "nexus host"). Increasingly there's a problem with brute force attacks on the nexus host's tunnel ports. The attack is forwarded to the portable tunneling host, where it fails, but it chews up